Main Menu

More on Hacking Back: Kerr Replies to Baker

In Stewart Baker’s latest post for why hacking is lawful if someone else did it first, he makes a textual argument and a policy argument. I find both extremely weak.

Stewart’s first argument is that it’s possible to read the statute as giving authorization rights to people who have rights in data rather than rights in computers because the statute doesn’t textually distinguish between computers and underlying data. The statute just doesn’t speak to that distinction, in Stewart’s view: It’s just an inkblot. So we can read the statute however we want.

If you read the whole statute, though, that’s plainly wrong. The statute repeatedly and consistently distinguishes between computers and data. The elements of the statute dealing with rights with computers are covered by the basic unauthorized access concept common to most of the different crimes listed in 1030(a). In contrast, the elements dealing with data are covered by the additional elements Congress required for the additional offenses listed in 1030(a). It’s one of the most basic divisions in the statute.

Here are the details, for those interested. In some cases, 18 U.S.C. 1030 imposes liability for mere unauthorized access to a computer, without more. The main example is 18 U.S.C. 1030(a)(3), the simple trespass statute for government computers: Unauthorized access to any government computer is a misdemeanor. No additional elements are required, and there’s no special requirement of obtaining or using stolen data found inside. On the other hand, several other sections have broader or more severe crimes for unauthorized access followed by obtaining data from inside the computer — with the punishment depending on whether data was obtained and what kind of data was obtained. For example, the crime of 1030(a)(2) criminalizes unauthorized access on any computer when the wrongdoer subsequently obtains any of three kinds of information from inside the computer:

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;

There’s also a penalty enhancement to a felony if the value the information obtained is more than $5000. See 18 U.S.C. 1030(c). 1030(a)(1) works in a similar way. It has severe punishments based on the kind of data obtained: If the unauthorized access “obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations” — that is, national security information — then the offense becomes a major felony. 18 U.S.C. 1030(a)(4) works in the same way, too. It makes it a felony if the object of the hacking was to steal property and the hacker “obtains anything of value” — that is, valuable information.

As I read the statute, then, Congress was pretty careful to distinguish rights to computers — the trespass into the machine, covered by the unauthorized access prohibition — from rights to data — the extra elements of 1030(a) for the different crimes that Congress created. Given that, I don’t think it makes textual sense to read the unauthorized access prohibition as governed by rights in data. The statute is just not as mystifying and unclear as Stewart claims. (Also, what does it mean to “own” data? If someone copies this blog post and saves it on their computer without my consent, can I hack into the computer because I “own” that data? Concepts such as “owning” data and when data becomes “stolen” are notoriously difficult to work with — indeed, 18 U.S.C. 1030 was passed so that such questions didn’t need to be asked. It seems puzzling to reintroduce them sub silentio here.)

Second, a lot of Stewart’s argument about authorization boils down to a policy argument: Justice demands this reading of the statute because the Chinese are invading our computers and we need to stop them. I had a feeling Stewart’s proposal was a response to a specific situation he had in mind. I guess that’s the one. In his post, Stewart suggests that a proper jurisprudential sophistication frees judges to do whatever they want with the statute to deal with the Chinese. With their newfound sense of sophistication, judges should go forth and devise a set of principles for interpreting “authorization” by which it is not a crime for big U.S. companies to go after their stolen data when the Chinese take that data while it is still illegal for people to hack back when they’re not very good at it, the RIAA wants to do it, or there isn’t really a good reason for it. Stewart doesn’t actually offer any legal basis for that distinction. He doesn’t have an argument for where the line should be or even what principles should be used to interpret authorization. He just wants judges to go figure this stuff out somehow.

If someone needs to figure this stuff out, though, it’s a job for Congress instead of the courts. Stewart isn’t just reading the statute. He’s asking judges to write a new statute that he thinks would be better than the one we now have. Maybe Congress should consider the kind of exception Stewart wants. It’s hard to tell, as Stewart hasn’t told us what the new statute should look like. (Instead, he has only told us the result the statute should reach on one case.) But as long as we’re only talking about what the statute presently means — that is, what Congress passed already, and what courts have to interpret — I don’t see a plausible way to read “authorization” to get to the result Stewart wants.

UPDATE: If I were Stewart, I would try to rely on the necessity defense instead of creative readings of authorization to get where he wants to go. Stewart’s argument is best made not as the claim that this isn’t unauthorized, but that it is unauthorized conduct justified by the specific circumstances he has in mind. That’s an argument for the affirmative defense of necessity. Necessity is a nice and vague exception, which is helpful for Stewart’s purposes. It’s a controversial exception as a matter of federal law, but at least there’s some support for it. And it seems to be really what Stewart has in mind. In my view, it would be better to try to make that argument directly rather than by appeals to justice or interpretations of “authorization.”